Incorrect password?


3raser

The password IS correct. My code keeps saying that the password is INCORRECT. The password is MD5'ed once a user registers, and when they type in a password at the login (as shown), the password is also MD5'ed.

 

Why is it that its output is "incorrect password"?

 

<?php
session_start();
include("includes/mysql.php");
include("includes/config.php");

?>


<title><?php echo $title; ?></title>

	<?php
	if(!$_SESSION['user'])
	{

	$username = $_POST['username'];
	$password = $_POST['password'];

	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);

	if(!$password || !$username)
	{

		echo
		'
		<h1>Login</h1>

					<center><p><form action="login.php" method="POST">
					<table border="0">
					<tr><th>Username:</th> <td><input type="text" name="username" maxlength="20"><br/></td></tr>
					<tr><th>Password:</th> <td><input type="password" name="password" maxlength="30"><br/></td></tr>
					<tr><th></th><td><input type="submit" value="Login"></td></tr>
					</table></form></p></center>
			</div>
		';

	}
	else
	{
	 $query = mysql_query("SELECT COUNT(username),password,username FROM users WHERE username='$username'");
	 $check = mysql_fetch_assoc($query);

	 $db_username = $check['username'];

	 $password = md5($password);

	 if($check['COUNT(username)'] < 1)
	 {
		echo
		'
				 <p>No account exists with this username. Please go back.</p>
		';
	 }
	 elseif($check['password']==$password && $db_username==$username)
	 {
		echo
		'
		<h1>Login Successful</h1>

				 <p>You have successfully logged in! Return home.</p>

		';
		$_SESSION['user']=$username;
	 }
	 else
	 {
			echo
			'
					 <p>The password you have enetered in is incorrect. Please go back.</p>

			';
	 }
	}
	}
	else
	{
			echo
			'
					 <p>Your already logged in!</p>
			';
	}
	?>

https://forums.phpfreaks.com/topic/223622-incorrect-password/

Your entire authentication logic is flawed as well IMO.

 

if ($result = mysql_query("SELECT id FROM users WHERE username = '$username' && `password` = '$password' LIMIT 1")) {
  if (mysql_num_rows($result)) {
    // valid, log user in
  } else {
    // invalid. show error
  }
} else {
  // query failed, handle error
}

 

Letting crackers know that they have a valid user name but not a valid pass & vice versa is never a good idea.

https://forums.phpfreaks.com/topic/223622-incorrect-password/#findComment-1155963

No worries, I just had that in there to make sure the username variable was working correctly.

 

And this code of yours, is it a fix or just a better code organization?

 

Can you please point out what was wrong with my previous code? It's just the way I code, and I'd love to get a few pointers on how I could improve it.

https://forums.phpfreaks.com/topic/223622-incorrect-password/#findComment-1156528
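
The single-outcome login check recommended in the reply above, as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database, swaps MD5 for PHP's `password_hash()`/`password_verify()`, and uses a constructed table, account and passwords; `login()` and `$dummyHash` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Table layout, account and
// passwords below are constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:'); // assumption: in-memory DB so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Registration: hash the raw password. Do not escape it first; escaping
// changes the bytes that get hashed whenever the password contains quotes.
$ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash("o'neil-pass", PASSWORD_DEFAULT)]);

// Verified against when the username is unknown, so both failure paths
// do comparable work.
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

function login(PDO $pdo, string $username, string $password, string $dummyHash): ?int
{
    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['password'] : $dummyHash;
    $ok   = password_verify($password, $hash);

    return ($row && $ok) ? (int) $row['id'] : null;
}

$attempts = [
    ['alice',   "o'neil-pass"], // correct credentials
    ['alice',   'wrong'],       // known user, bad password
    ['mallory', 'whatever'],    // unknown user
];
foreach ($attempts as [$u, $p]) {
    $id = login($pdo, $u, $p, $dummyHash);
    // One message for every failure: the response does not reveal
    // whether the username exists.
    echo $u, ': ', $id !== null ? "logged in (id $id)" : 'Invalid username or password.', PHP_EOL;
}
```

In a real login page, call `session_regenerate_id(true)` before storing the user in `$_SESSION` after a successful check.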

Archived

This topic is now archived and is closed to further replies.
